Remnants of Live Security Platinum on My Computer? [Solved]

PantheraCantus

Posted 13 July 2012 - 03:09 PM

Hello! Please forgive the length of the description of my problem, as I have been trying to deal with it myself for quite some time now, and I would like to be able to provide you with all of the information I can recall, and as accurately as possible.

Last Saturday (July 7th, around 3:15 pm CST), I visited a good friend's Tumblr page that only hosted her personal vacation images, and almost immediately afterward, fake alerts for Live Security Platinum began. My browser (Firefox) shut down shortly after that. I believed that my computer may have somehow contracted the Live Security Platinum virus through it, perhaps due to the music or background she used for the page, but I'm not quite sure. Since it was almost a week ago, I, regretfully, do not remember the exact processes I tried and in what order, but I began looking up more information on the virus online and trying some recommended programs. OTL has worked for me in the past, so I used it early on, but it detected nothing from a full scan. I also used MalwareBytes (including attempting the process that requires accessing the Chameleon file). Initially, it found some trojans and removed them, but the problem persisted, and future scans with that program turned up clean for a while. I also attempted Anvi Smart Defender and their personal fix for Live Security Platinum, which did not work. Like MalwareBytes, Anvi Smart Defender found trojans and removed them, but it did not change anything. I also purchased Spyware Doctor after I ran a trial scan and it found over twenty trojans that the other programs were missing. While it found and removed them, like the others, it fixed nothing. I also tried Registry Mechanic (which I already had purchased), and it removed the couple of malicious processes it found, but it didn't help. The same story with KingSoft's full malware scanner.

At some point, the fake alerts stopped, but I opened Internet Explorer (to download another cleaner, which I did not get the chance to do yet), and the alerts began again. So, following the advice of one removal guide I had found, I entered a fake registration key to end the alerts, which worked and left me to deal only with the virus, itself, once again. After this, almost all of those scans I've mentioned by name were finding trojans again, and on a regular basis. I believe it was sometime after this that I restarted after a scan with Spyware Doctor (which had found trojans and wanted to shut down to remove them) and Windows could not start normally. It said that it could either go ahead and take me to the user login with these problems or try to fix the problem. I allowed it to go ahead and try to fix the problem, and it asked if I wanted to return to a restoration point. I refused, and it continued to try to fix it. Eventually, it rebooted itself and Windows was able to begin normally. When I logged in, scans were still turning up with trojans.

Finally, after running these programs several times and attempting some others that I downloaded for a short time and then deleted afterward (because they either required purchasing to do any removal processes or they were ineffective), I used GridinSoft's Trojan Killer program (in trial mode) on Monday (July 9), and it appeared to have removed everything, as scans were coming up clean and I was able to use the web without any trouble.

However, while using Firefox on July 11th, Adobe Flash wanted to update. I was leery and refused, but it came back up two more times, so I finally gave in and let it update. Immediately, Spyware Doctor began going off, telling me that a worm had infected my computer (and, if memory serves, ".rootkit" was in the name). Spyware Doctor began running, and my computer blue screened and restarted itself. After logging in, my computer was slow, so I went to restart it again, and Windows wanted to update. It installed 11 updates on my computer (which is more than I'm used to - the most it's ever installed on this laptop or my previous one was three at a time), then shut down. Upon startup, I saw something I'd never seen before. When the animated Windows icon was on (my OP is Windows 7), several file names were displayed below the icon, along with a message saying that the operations were being changed. I could not catch the names, since they were cut off, but I saw several registry files. It said that 29,000-something files were changed.

After this, I hit my computer with some of those programs aforementioned (MalwareBytes, Kingsoft PC Defender and Kingsoft Antivirus, Anvi Smart Defender, Spyware Doctor, Registry Mechanic, and OTL), with most of them finding and removing trojans, only to find them back on my computer the next time I scan with them. The Trojan-Killer program that I thought had been effective before now requires me to purchase the program to use it, but the free scan continues to find several trojans even after MalwareBytes and the others are run and clean off several trojans. Once again, Windows did not start normally and I asked it to run a fix. This time, I approved a restoration point, but the trojan is still there, and Windows underwent that same process of downloading the 11 updates and changing some 29,000 files. I have run no scans or fixes today, but I was still coming up with trojans on scans late last night, so I do not expect that it is gone. However, my browsers are not slow, nor is my computer, itself.

I am terribly sorry for not paying more attention to exactly what programs I ran, in what order, or exactly when some of these events occurred, as I honestly thought I'd be able to remove it without having to trouble you on the forums. But if you are able to help in any way at all, I would greatly appreciate it!

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.

Accept the disclaimer and allow to update if it asks

When finished, it shall produce a log for you.

Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

PantheraCantus

Posted 14 July 2012 - 04:19 PM

Thank you so much for your response! I followed the process you requested and have an OTL logfile, but the ComboFix has been stuck on this message (on a window with a blue background, titled “Administrator: .”) for about three hours now:

“Please wait.
ComboFix is preparing to run.

Attempting to create a new System Restore point”

With a typing underscore blinking in the line directly below it.

So, I suspect that something might have interfered with it and caused it to stall. I did not click the application, but I did manually create a desktop icon for it as it began running, which is probably what caused it to stall. I’m sorry about this.

Also, I will PM you the link to my friend’s page. I was talking with her earlier today, and she told me that her desktop icons were randomly rearranged. I had the same problem shortly after the Live Security Platinum alerts began, so I told her that and she began running a scan on her computer. She is out right now, so I have not heard back from her about the results of her scan. I think your theory about her Tumblr page being hacked is probably correct.

Extract wintoboot to your desktop
Insert a USB drive of at least 4GB
Run Wintoboot

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

It will let you know when it is done
Then copy FRST to the same USB

Insert the USB into the sick computer and start the computer. First ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions Here

When you reboot you will see this although yours will say windows 7. Click repair my computer

Select your operating system

Select Command prompt

At the command prompt type the following :

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

PantheraCantus

Posted 15 July 2012 - 03:08 PM

The files are all on the flash drive and ready to go, but I cannot seem to get my computer to boot from the USB. I read the article you sent me on how to do it, and I can change boot options, but my choices under the Boot Manager page are as follows:

Hard Drive
CD/DVD/BD
Network
Diagnostics
Enter Setup

I tried the "CD/DVD/BD" option first, and it booted normally with the USB. Same when I tried the "Hard Drive" option with the USB in. So, I tried "Enter Setup" and manually scrolled over to the boot options, and the option for a USB or external hard drive is still not there. The options are still only for a Hard Drive, CD/DVD/BD, or Network.

Essexboy

Posted 15 July 2012 - 03:19 PM

Hm, weird. All Windows 7 systems I have come across have that option in the BIOS, which was why I used it.

OK next step then

Restart the computer and press F8 to get to safe mode. Is there an option "Repair my computer"?

If there is then select that followed by command prompt
Insert the USB with FRST64 on it
Then do the following

At the command prompt type the following :

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

PantheraCantus

Posted 15 July 2012 - 03:28 PM

I thought it was strange, too, since my computer is not very old.

Yes, the option is there. I selected it, and it's giving me system recovery options, beginning with "Select a language", which is auto-selected for English, and then "Select a keyboard input method", which I am able to change. Should I go through with those?

Essexboy

Posted 15 July 2012 - 03:45 PM

PantheraCantus

Posted 15 July 2012 - 03:52 PM

Here is the log from my flash drive:

Scan result of Farbar Recovery Scan Tool Version: 15-07-2012
Ran by SYSTEM at 15-07-2012 16:41:16
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001